Does Lucee ignore CFID/CFTOKEN in the URL when using cookies?

If I’m using client cookies with these settings and someone pastes a cfid/cftoken in a URL, does Lucee still do a lookup on the values entered in the URL? Can I force Lucee to ignore it?

this.clientManagement = true;
this.setClientCookies = true;
this.httpOnlyCookies = true;
this.secureJSON = true;
this.sessionTimeout = CreateTimeSpan(0, 0, 20, 0);

Having Cftoken/CFID in the URL is old practice and bad practice using it nowadays. I’d turn it off completly.

1 Like

Correct. I understand you should not use them. I’m asking if a user or a bot has it in the URL, does Lucee do anything with it? Or is there a setting to completely ignore cfid/cftoken in the URL?

I think it will try honouring url tokens/id. if these have already been allocated before, cfml will identify them because that is a given basic cfml legacy functionality. I havent heard about a functionality to turn the URL session tokens to be ignored, but you could do something programatically to force an abort as soon as they are being passed in the query string.

I also don’'t know what would happen if there is a cookie/url mismatch. i’m pretty sure cookie will take precedence. But this is something you could test to see